Obtaining IP Addresses via LSL?

Hi guys,

I was wondering if it is possible to obtain an IP address by using LSL, via a touch event, for example (ie, someone touches a scripted prim, and their IP address is obtained).

I understand that this might be a sensitive area, given the scope for griefing, but I do have a very valid (non-griefing) use for such a function (concerning Opensim).

Any ideas?

Rock

I am pretty sure this is not possible and really hope it is not.

Last thing we need are more "I tried to kidnap my SL lover" episodes in RL.

With IP addresses SL people can track down your real name, your address, and more.

Big fat NO - no matter your reason.

And seeing how you see the "scope for griefing" you still would want this information as if you would be the person that could be trusted with this data? Uh, no.

Please correct my logic if I am wrong.

Couldn't a "touched" object change the parcel media stream? Then if the "toucher" has media playing their IP shows up on that site/music stream/etc?

If the "touched" object logs the AV and time and in turn so does the website with IP addy, then the IP is connectible with the AV.

I actually really hope that I am wrong. Since it looks pretty easy...


Obvious work around is not playing media or music on untrusted parcels..then i suppose you may click wildly without worry of your IP getting out.

The scripted object, deeded to the group owning the land, would do something like this

And then on your server

All I want is for people to stop saying IP addresses are secret info x_x

Well, given that more directed attacks can be done against someone's IP address than their UUID, I think it is good that it is "secret", at least to other people who otherwise have no "need to know".

It is a common tactic in online gaming to find out what IP address your opponent using, and then direct a zombie node or bot net to DDoS that IP address to knock them out of the game, or at the very least, lag their play enough for them to lose the match.

There are a number of reasons one wouldnt want their static IP address captured by people in SL or any other virtual world/platform/game they play.

Its not about the IP address being 'a secret', its about what can be done with them in the wrong hands with the right access.

Unfortunately the "wrong hands" already know this and much more, plus, more importantly, they know what to actually do with the ip addresses.

Someone would be well off launching a ddos attack from within SL instead, be assured!

To be honest, I'm quite surprised at how concerned folks are about IP addresses. You can get a rough geographic location (narrowed down to maybe a city), but for domestic Internet connections, that's about it. (Try running an online "whois" on your own IP address, and see what you can find... it'll only turn up the details about your ISP).

Bear in mind that *any* website you access has your IP address logged, even if all you see of it is an advertising image channeled from them via FaceBook or something. And what's worse, with an estimated 70-80% of major websites vulnerable to Cross Site Scripting (XSS) attacks (which can steal login sessions and whatever else the site stores in cookie data), you're at far greater risk just using your web-browser than in SL!

At the end of the day, it's not as though IP addresses are hard to figure out anyway (well, not unless IPv6 suddenly gets implemented worldwide!). Relying on safety just because nobody knows your IP address is like taking a midnight stroll in a bad neighbourhood and thinking you're safe just because you're wearing a disguise.


(I didn't mean that in a harsh way against anyone or anything... I just get quite frustrated by common computing misconceptions!)

I've always been a proponent for obfuscating the user's IP address, not because it increases security, but so that it makes it harder to target a person.

Just because something is inherently insecure doesn't mean you should hand them the keys but on the flip side of that you shouldn't be dedicating excessive resources to secure something that cannot be secured.

P.S. You can configure Quicktime to use a proxy.

Hi,

I really didn't want to get into the arguments for and against whether we should treat IP addresses as 'secret' or not.

However, back to a purely scripting question, it appears it can be done, but by using external calls, either to a video or music stream, or by providing a clickable link to an external website, where I control either the stream or the website, both of which could be set up to log visitor's IP addresses, then relay that info to me.

I wish to do this to enable friends of mine to log into my OpenSim, with their IP address set up in the access lists automatically, by touching a prim in-world, and the mechanics being largely done with a VB script on my own PC that sets things up. I have had several computer-challenged friends have all sorts of trouble providing me with their IP address (despite clear step-by-step instructions), and I thought a simple inworld 'Click this Prim' would solve this for them.

Again, it is only to be used by my SL friends (who trust me, and I trust them in return), who WISH to provide me with their IP address, to visit me in my OpenSim.

Thanks for the suggestions already provided via in-world notecards (which prevents details from appearing in open forums, if people really believe that information for obtaining an IP address should be kept secret).

Rock

Does the site whatismyipaddress.com give the kind of results the poster is looking to get from his friends?

If so I would think they should be able to cut and paste the result.

Yes Suezanne, this gives exactly the result I am looking for, and I have been using a similar website, http://checkip.dyndns.org/ to achieve the same.

However, as I want this to be purely automatic, with no cut and past errors, I am looking to create a webpage of my own, that uses the HTTP_SERVER_VARS["REMOTE_ADDR"] server variable, then passes the variable to my VB script to set up the access list.

This problem was a lot easier than I thought, I just have to script a prim, so that when clicked it will send the clicker to my webpage. The rest is done with standard php and a VB script.

Thanks to all who responded,

Rock

If you're using llLoadURL be sure to include some kind of validation in the URL to avoid the risk of the webpage being abused. For example you can create an MD5 checksum in LSL using llMD5String. For the hash you can use the avie name and/or UUID and tack on some random characters. Recreate the checksum the same way in php using md5() and ensure you get the same result before continuing. Maybe other/better ways but this is how I did it.

PS: I agree with Strife about hiding an IP address when possible. Security through obfuscation is never the whole solution but it's better than handing information over on a plate. An IP address with a little craftyness/social engineering can also be used to track someone down in real-life (I gave a random madeup scenario in another thread yesterday or day before). In my case a traceroute reveals the name of my town as part of one of the routers hostname for the final hops. Don't know how common this is (I use Virgin Media cable internet in the UK) but those unreliable IP-to-location lookup services arent the only way to dig up location info.

Thanks for that Anthony. I have now added that to my 'to-do' list.

I am using a simple php script that will obtain the IP address, the only info required for the access list. However, I was amazed to see on the web, easily Google-able, java scripts that could reveal:

Name of browser
Browser Version
Operating System
Browser Agent
History Length
Colours
Colour Depth
Screen Width
Screen Height
Screen Max Width
Screen Max Height
Javascript Version
Browser Font Smoothing
Java Enabled
IP Address
Plug Ins
Country
City

and a bunch more. All this, just by visiting a website!

Rock

Most of that is data points I've typically seen in results with web analytics systems, with the exception of history length, browser font smoothing, and plugins.